Security Equivalence Assessment between Cloud Standards by Mapping of Control Items

The rise of new industries, such as the Internet of Things and Smart Healthcare, has brought many cross-cloud business opportunities for cloud computing and posed new challenges to the cloud security. Traditionally, security can be assessed by compliance checking when selecting cloud services. However, when facing cross-cloud security requirements, even if passing the compliance checking, it cannot prove that different clouds have the same security level since they pass different standards. Therefore, security equivalence assessment of different security standards is a fundamental issue. In order to solve the issue automatically, we first transform it into the problem of mapping between control items with respect to different standards. Then, we define three tasks to work out the mapping problem: a task for mapping searching and two for new mapping establishing. Next, we collect, organize, and expand a dataset of mappings between control items containing 21 standards and more than 100,000 pieces of mapping data. Subsequently, we experiment with four well-known models for each task to test their performance on the dataset of mappings: TF-IDF, Word2vec, BERT, and GPT-Neo. Experimental results indicate that the current models can perform very well on the first two tasks but need to be better on the last task.